Ehi l H ki d E t hi ca l H ac ki ng an d Countermeasures Vi 6 V ers i on 6 Module XXXIV Module XXXIV MAC OS X Hacking News EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Source: http://www.zdnet.com.au/ Module Objective This module will familiarize you with: • Introduction to MAC OS V l biliti i MAC OS • V u l nera biliti es i n MAC OS • Worm and Viruses in MAC OS • Anti-Viruses in MAC OS MAC OS S i T l • MAC OS S ecur i ty T oo l s EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Introduction to MAC OS Vulnerabilities in MAC OS Introduction to MAC OS Vulnerabilities in MAC OS Worm and Viruses in MAC OS Anti- V iruses in MAC OS MAC OS Security Tools EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Introduction to MAC OS X Mac OS X is a uni q uel y p owerful develo p ment p latform, brin g in g a 32- qyp p p gg bit and 64-bit architecture and multiprocessor capability to the desktop and server arenas It provides an extremely productive high-level programming environment, Cocoa, combined with the full power of real UNIX Features: • Runtime Flexibility Built on Powerful Frameworks • Advanced Developer Tools • Best Graphics on a Desktop EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited • Best Graphics on a Desktop • Internationally Savvy Vulnerabilities in MAC OS X EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Crafted URL Vulnerability Input validation issue exists in the processing of URL schemes handled by Terminal.app By enticing a user to visit a maliciously crafted web page, an attacker may cause a n app li cat i o n to be l au n c h ed wi t h co n t r o ll ed co mm a n d lin e a r gu m e n ts, whi c h a app cat o to be au c ed t co t o ed co a d e a gu e ts, c may lead to arbitrary code execution This vulnerability affects Apple Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, and Mac OS X Server v10.5 and v10.5.1 EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited CoreText Uninitialized Pointer Vulnerability Vulnerability Apple Mac OS X CoreText is a framework for hdli M OS X Ti ( ) d l h an dli ng text on M ac OS X Ti ger ( 10.4 ) an d l ater Mac OS X CoreText fails to properly initialize pointers, which can cause memory corruption Any application that uses the CoreText framework for handling text is vulnerable By convincing a user to view specially crafted text an attacker can execute arbitrary code or cause a EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited an attacker can execute arbitrary code or cause a denial of service on a vulnerable system ImageIO Integer overflow Vulnerability Vulnerability Graphics Interchange Format (GIF) is a popular image format Graphics Interchange Format (GIF) is a popular image format supported by Mac OS X applications ImageIO framework allows applications to read and write various image file formats, including GIF An integer overflow vulnerability exists in the process of handling GIF files By enticing a user to open a maliciously crafted image, an attacker can trigger the overflow, which may lead to an dlii ii bi d i EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited unexpecte d app li cat i on term i nat i on or ar bi trary co d e execut i on DirectoryService Vulnerability The Apple Mac OS X DirectoryService contains a vulnerability This Vulnerability allows an unprivileged LDAP This Vulnerability allows an unprivileged LDAP user to change the local root password EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited [...]... method, attacker can open a properly-formed installer package and user’s system will be open to attack EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Worm and Viruses in MAC OS X EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Worm in MAC: OSX/Leap-A OSX/Leap-A is an instant-messaging worm that attempts to spread... g p and any infected files Other macro viruses can corrupt or delete y p your files, hide certain application , pp functions, and even more EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Anti-Viruses in MAC OS X EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited VirusBarrier Intego VirusBarrier X4 is the non-intrusive... computer opens and writes, as well as watching for suspicious activity that may be the sign of viruses acting on applications or other files It works in background, detects and eradicates all known g , viruses including word and excel viruses, and even viruses targeting the OS EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited VirusBarrier: Screenshot EC-Council... disk space by removing unwanted cookies p y p y g and cache files EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Norton Internet Security: Screenshot EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited MAC OS X Security T l S it Tools EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly... errors exists in the " _cg_TIFFSetField ()" and "PredictorVSetField()" functions when processing malformed TIFF images EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited How a Malformed Installer Package Can Crack Mac OS X An attacker can modify root-owned files, execute commands as root, by y y creating a malicious package and setting the authorization level to... corruption issue exists in the process of handling RAW images By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution y A remote unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition EC-Council Copyright © by EC-Council All Rights Reserved Reproduction... Security and Control It provides warning of outbreak risk across the entire network with automatic email alerts and its security dashboard Unique Behavioral G U i B h i l Genotype P t ti automatically guards against new and t Protection t ti ll d i t d targeted threats by analyzing behavior before code is executed Built-in intrusion-prevention technologies combine to detect malware, suspicious files and. .. will activate and look for devices that accept OBEX Push transfers and tries to send itself to those devices The files com.openbundle.plist and com.pwned.plist are dropped into a location from where they are called during system startup The openbundle plist will unpack the worm components and com pwned plist executes openbundle.plist com.pwned.plist the worms EC-Council Copyright © by EC-Council All... audits and protects the system from p y spyware programs such as keystroke recorders EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited MacScan: Screenshot EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited ClamXav ClamXav is a free virus checker for Mac OS X ClamXav is built upon the popular free ClamAV open source command... handle specially crafted Universal Plug and Play (UPnP) protocol packets A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat An unauthenticated attacker on the local network may be able to execute arbitrary code or cause a denial of service EC-Council Copyright © by EC-Council . p latform, brin g in g a 3 2- qyp p p gg bit and 64-bit architecture and multiprocessor capability to the desktop and server arenas It provides an extremely productive high-level programming environment,. OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, and Mac OS X Server v10.5 and v10.5.1 EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly. open a properly-formed installer package and user’s system will be open to attack EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited W orm and Viruses